Security Firm Uncovers Flaws in Mac OS Xs Darwin

Security company Immunity says it has found several vulnerabilities in Darwin, the implementation of Unix that underlies Apple Computer Inc.s Mac OS X operating system.

Immunity discovered the flaws during a security audit of the source code, which Apple has made freely available under its own Apple Public Source license. The flaws, which affect versions of Mac OS X up to and including 10.3.4, affect the operating systems SearchFS function and at command. The company also found several potential kernel memory overflows.

Immunity is working on producing reliable exploits for them, as part of its security testing program. The company produces a penetration testing tool called Canvas, which allows users to test their own systems security.

However, Immunity emphasized that for the majority of customers, the bugs posed little threat. Instead they are most likely to affect systems with multiple users accessing the system remotely.

The bugs were first discovered in June, during a large-scale source code audit of Darwin by Immunitys security research team. Although the company released the information to its customers then, it did not publicly announce the discovery until Monday, at a security seminar in New York City. In accordance with company policy, Apple was not notified of the issues beforehand, but is said to be analyzing the flaws.

/zimages/2/28571.gifApple recently issued an update to correct 16 potentially serious vulnerabilities in OS X.Click hereto read more.

Although there are no known exploits in the wild that utilize the bugs, the news will increase attention on the security of the Mac platform. According to Danish security company Secunia, 36 security advisories were issued against the Mac in the previous 12 months, compared with 46 for Windows XP. Of these flaws, 61 percent could be exploited remotely over the Internet, compared with 48 percent for Windows.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.